Open-Source Intelligence

A good blog: https://ohshint.gitbook.io/oh-shint-its-a-blog/

Search Engine OSINT

Image OSINT

Email OSINT

Discovering Email Addresses

Hunter.io Phonebook.cz Clearbit chrome extension

Email address verifiers

emailhippo https://tools.emailhippo.com/

emailchecker.net https://email-checker.net/

Password OSINT

Hunting breached passwords

  • DEHASHED.com (paid):
  • WeLeakInfo - https://weleakinfo.to/v2/
  • LeakCheck - https://leakcheck.io/
  • SnusBase - https://snusbase.com/
  • Scylla.sh - https://scylla.sh/
  • HaveIBeenPwned - https://haveibeenpwned.com/

Username OSINT

  • NameChk - https://namechk.com/
  • WhatsMyName - https://whatsmyname.app/
  • NameCheckup - https://namecheckup.com/

People OSINT

WhitePages - https://www.whitepages.com/ TruePeopleSearch - https://www.truepeoplesearch.com/ FastPeopleSearch - https://www.fastpeoplesearch.com/ FastBackgroundCheck - https://www.fastbackgroundcheck.com/ WebMii - https://webmii.com/ PeekYou - https://peekyou.com/ 411 - https://www.411.com/ Spokeo - https://www.spokeo.com/ That'sThem - https://thatsthem.com/

Hunting Phone Numbers

TrueCaller - https://www.truecaller.com/ CallerID Test - https://calleridtest.com/ Infobel - https://infobel.com/

Finding birth dates

Google "Pedro Cardoso" intext:"happy birthday" "Pedro Cardoso" intext:"happy birthday" site:facebook.com

Searching for resumes

"pedro cardoso" resume site:dropbox "pedro cardoso" resume site:drive.google.com

Social Media OSINT

Twitter OSINT

  • Socialbearing.com
  • twitonomy
  • sleeping time
  • mentionmapp
  • spoonbill - see twitter changed
  • tinfoleak
  • tweetdeck

Facebook OSINT

Sowdust Github - https://sowdust.github.io/fb-search/

IntelligenceX Facebook Search - https://intelx.io/tools?tab=facebook

Instagram OSINT

Wopita - https://wopita.com/

Code of a Ninja - https://codeofaninja.com/tools/find-instagram-user-id/

InstaDP - https://www.instadp.com/

ImgInn - https://imginn.com/

Website OSINT

BuiltWith - https://builtwith.com/

Domain Dossier - https://centralops.net/co/

DNSlytics - https://dnslytics.com/reverse-ip

SpyOnWeb - https://spyonweb.com/

Virus Total - https://www.virustotal.com/

Visual Ping - https://visualping.io/

Back Link Watch - http://backlinkwatch.com/index.php

View DNS - https://viewdns.info/

Sub domain finders

Pentest-Tools Subdomain Finder - https://pentest-tools.com/information-gathering/find-subdomains-of-domain#

crt.sh - https://crt.sh/

Shodan.io

city: atlanta port: 3389 org: choopa

Wireless OSINT

WiGLE - https://wigle.net/

OSINT Tools

Image and locations OSINT

exiftool

Hunting emails and breached data

theHarvester -d tesla.com -b yahoo -l 100 (tool) (target domain = tesla.com) (list 100 results max) (source = yahoo)

h8mail - https://github.com/khast3x/h8mail

Username and account OSINT

whatsmyname -u thecybermentor
sherlock thecybermentor

Phone Number OSINT

phoneinfoga scan -n 14082492815
phoneinfoga serve -p 8080

Website OSINT

whois tcm-sec.com

Subfinder - https://github.com/projectdiscovery/subfinder

subfinder -d tcm-sec.com

Assetfinder - https://github.com/tomnomnom/assetfinder

assetfinder tcm-sec.com

httprobe - https://github.com/tomnomnom/httprobe

Find alive endpoints

cat tesla.txt | sort -u | httprobe -s -p https:443

Amass - https://github.com/OWASP/Amass

amass enum -d tcm-sec.com

GoWitness - https://github.com/sensepost/gowitness/wiki/Installation

Take screenshot of the website if its alive

gowitness file -f ./alive.txt -P ./pics --no-http

OSINT Frameworks

recon-ng

Add API keys

keys add shodan_api keys list

Modules

show modules search use recon/domains-hosts/builtwith show infos set

Workspaces

show workspaces workspaces list workspaces add Name workspaces select

Add companies and domains to a schema

show schema add compagnies company add domains domain.com show domains

Contacts

show contacts